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METHOD AND SYSTEM FOR ACCESSING INTERNET RESOURCES THROUGH 
A PROXY USING THE FORM-BASED AUTHENTICATION 

Technical field 

The present invention relates to the Internet environment 
5 wherein a user addresses requests for getting Internet 
resources to a proxy which transmits these requests to a 
content server able to provide the Internet resources and 
relates in particular to a method and system for accessing 
Internet resources through a proxy using the form-based 
10 authentication. 

Background 

The Service Provider market moves up the value chain from pure 
connectivity services to deliver value-added and revenue 
generating services. The business model of a Service Provider 

15 which was initially driven by minutes of use is being more and 
more replaced by data traffic, generated by users that access 
either internal services owned and maintained by the Service 
Provider itself or external services not maintained by the 
Service Provider but accessed through the Service Provider 

20 platform. In addition to growing their customer bases, the 
service providers are now looking to increase the average 
revenue per user to boost revenues. More compelling services 
such as content, commerce, and applications promise higher 
profit margins, improved customer retention, and greater 

25 customer satisfaction. Yet, managing and distributing these 
third-party services or content services present significant 
challenges to service providers. Therefore, the Service 
Provider plays a key role since it is the intermediary between 
the end-user and the internal or external services. Its 

30 privileged position allows him to not only provide just 
"simple" access but added value services such as security, 
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single sign-on, billing, location, etc. at the condition that 
it cannot be "bypassed" by the user. 

In most cases, external services and partners that provide 
resources will do it for authenticated users only, meaning 
5 that they maintain and enforce the authentication and 
authorization of these users using their own user registry. 
Therefore, multiple authentication points may exist thus 
requiring the end-user to maintain multiple user IDs and 
passwords, and be prompted to authenticate multiple times in 

10 order to be able to access his personalized services. 
Obviously, this represents a fastidious step for the end-user 
to enter several times a couple of username /pas sword in order 
to access the Web services and therefore the Service Provider 
might loose any credibility towards its end-users if it does 

15 not provide a solution to this problem. A solution is to 
provide a "Single Sign On" feature to their end-users giving 
them the possibility to use the same User Id and password for 
all services being internal or external that require 
authentication. With this feature, user authentication only 

20 needs to be done once to access services requiring a user Id 
and password. 

At connection time, the Service Provider asks the end-user to 
identify himself as an authorized user by responding to a 
username/password prompt displayed on the user device in order 

25 to give end-users the benefit of personalized services and 
resources according to the end-users choices and preferences. 
As already mentioned, these personalized services and 
resources can be either internal services managed and 
maintained by the Service Provider or external services 

30 provided by content provider partners. 

The Service Providers and service and the content providers 
partners have to come to an agreement on how passing 
credentials about the end-users from the Service Provider to 
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the partners. The HTTP protocol is the transport protocol used 
for each communication involved, in one hand in the exchanges 
between the device being used to access the internal or 
external services provided by the service provider which is 
5 typically a Web browser and the Service Provider platform, and 
in other hand between the Service Provider and its service and 
the partners. Different techniques exist today such as the 
Basic HTTP Authentication exchange defined in the HTTP 
standard, the HTTP cookies, customized HTTP headers, ... can be 
10 used to perform such integration around single sign-on. But 
this previous cases require business development and cost on 
each side allowing so the partners to directly trust the 
authentication done by the Service Provider platform. 

The Service Provider being the intermediary between the 
15 end-user and the internal or external services and, thanks to 
its privileged position, uses in most cases an HTTP proxy 
component deployed in its infrastructure forcing all end-users 
to go through and acting as a central authentication point for 
all end-users who wish to access personalized internal and 
20 external services and resources . 

The two well known and spread authentication methods on 
Internet are the HTTP Basic Authentication and the Forms-based 
authentication (a HTML form sent to the end-user prompting him 
to enter a couple username/password) , both over normal or 

25 secure encrypted connection. Although performing single 
sing-on with Basic Authentication is relatively easy (and most 
of the HTTP proxies in the market already support single sign 
on to back-end application server representing external 
service or content provider partners using the HTTP Basic 

30 Authentication as described in the HTTP specification) most 
servers choose not to use it as a means of authentication, 
primarily because the User Interface is un-sophisticated and 
set by the Web browser and also because it is limited to a 
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single hostname. Forms-based authentication is much more 
widely used because it is more flexible. Unfortunately, it is 
this very flexibility that makes single sign-on to form-based 
system so much difficult to handle insofar as the forms being 
5 used are various and different in function of the servers, 
thereby requiring a development cost. 

Summary of the invention 

Accordingly, the main object of the invention is to provide a 
method and a system allowing the service providers to reduce 
10 the cost of development to perform single sing-on in case of 
partners using a form-based authentication, thereby avoiding 
any additional development effort and cost on both sides 
(service providers and partners) . 

The invention relates therefore to a method for accessing from 
15 an Internet user to Internet resources provided by at least a 
content server in a data transmission system including a proxy 
connected to the Internet network, the proxy being adapted to 
perform the form-based authentication of the user when 
receiving a user request for Internet resources therefrom, and 
20 wherein the proxy transmits the user request to the content 
server which sends back a response to the proxy. Such a method 
comprises the following steps : 
-the transmission from said proxy to a Single Sign On (SSO) 
Server of the user request together with the credentials 
25 associated with the user, 

-the filling by the SSO server of a login form obtained from 
the content server, the form being filled by using the 
credentials , 

-the transmission by the content server to the SSO server of 
30 a response to the user request after receiving the filled 

login form from the SSO server, this response being then sent 
back to the proxy and, 
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-the transmission by the proxy of the requested information 
to the user, the information being contained in the response 
received by the proxy. 

According to another aspect, the invention relates to a data 
5 transmission system including a proxy connected to the 
Internet network and at least a content server to which a user 
can gain access by the intermediary of the proxy, this one 
being associated with authentication means adapted to perform 
the form-based authentication of the user when receiving a 

10 user request for Internet resources therefrom and wherein the 
proxy transmits the user request to the content server which 
sends back a response to the proxy. The authentication means 
comprise a Single Sign-On (SSO) server adapted to obtain a 
login form from the content server when receiving the user 

15 request from the proxy, to fill the login form by using the 
credentials associated with the user and to send back the 
filled login form thereby playing the role of the user 
regarding the content server, so that the content server can 
provide the requested information after authentication of the 

20 user. 

Brief description of fch© drawings 

The above and other objects , features and advantages of the 
invention will be better understood by reading the following 
more particular description of the invention in conjunction 
25 with the accompanying drawings wherein : 

D Fig. 1 is a schematic block-diagram showing a data 

transmission system according to the invention, 
D Fig. 2 is a schematic block-diagram representing the 
different data flows achieved between the elements of the 
30 data transmission system illustrated in Fig. 1, 

D Fig. 3 is a diagram illustrating the flows being achieved 
for each kind of request being transmitted by the user to 
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the proxy in the data transmission system illustrated in 
Fig. 1. 

Detailed description of the invention 

Referring to Fig. 1 representing a data transmission system 
5 used in the context of the invention, a service provider 
provides Web services to a plurality of users such as user 10 
through the Internet network 12 . Such web services can be any 
kind of information which can be furnished by a content server 
14. When the user wants to access to the content server, he 
10 transmits a request to a proxy 16. This proxy has at its 
- disposal a user registry (not shown) containing the 
information such as credentials of the users allowed to access 
the services provided by the service provider (generally the 
identification and password of the user) . 

15 The proxy 16 is connected to a Single Sign-on (SSO) server 18 
which is deployed in the service provider platform in order to 
recognize when a login form is presented and to be able to 
interpret it and respond accordingly. For this, the SSO server 
18 has at its disposal a configuration file 2 0 which provides 

20 details about signing on to the back-end server 14. The role 
of the configuration file 20 is to specify the URL of the 
login page into the server 14, the location of the login page, 
the name of the input field used for "username" and the name 
of the input field used for "password" . 

25 In a preferred embodiment of the invention, the SSO Server 18 
is an additional component, external to the proxy 16, and does 
not assume any specific behaviour different from the standard 
one that every proxy should implement- But it could also be 
closely integrated within the proxy itself, thus providing 

30 additional advantages (less components, no need for specific 
service entry point URL) at the additional cost of developing 
the functionality described in the invention inside it. 
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The diagram in Fig. 2 illustrates the steps achieved in the 
method. These steps are the following : 

1) The user logs on to the HTTP proxy 16. He accesses the 
back-end application service in content server 14 by 

5 clicking a specific URL provided by the service provider 
that identifies the service entry point and references to 
SSO server 18 . 

2) Upon reception of this request, the HTTP proxy 16 passes the 
user's authentication information to the SSO server 18 (e.g. 

10 A standard HTTP authorization header credential such as the 
authorization HTTP header described in the HTTP 
specification) . 

3) The SSO server 18 generates a GET request using the 
information from its configuration file, sends it to the 

15 content server 14 and obtains the custom login page and any 
session information such as cookies) . 

4) The SSO server 18 filters the login form and, using 
information from its configuration file, fills in the 
username /pas sword (together with any hidden fields, data, 

20 and session cookies) . 

5) The SSO server 18 generates a POST request and transmits it 
to the content server 14. This one authenticates the request 
and returns the result (plus session information if any) 
back to the SSO server. 

25 6) The SSO server 18 sends the HTTP response and any session 
information to the HTTP proxy 16. 

7) The HTTP proxy 16 forwards this information back to the user 
10. 
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8) -9) All subsequent requests to the content server 14 are 
routed across the standard junction to the content server 
(a junction is a configuration rule that exists in the 
proxy to handle the connection between the proxy and the 
5 content server) . 

The data flows corresponding to the different kinds of 
requests transmitted from the user are represented in Fig. 3. 

A. First request issued by the user 

The user sends the first request to the HTTP proxy, invoking 

10 the external URL configured in the Proxy (/). Since the 
invoked URL is protected, the Proxy sends an authentication 
challenge to the client. Different methods can be used to 
send this challenge (HTTP response code 401, form,...) . This 
is independent from the authentication technique required by 

15 the back-end servers. The user responds with its credentials 
(typically a user name and password) . The Proxy verifies 
these credentials against its user registry, and accepts 
them if they correspond to a valid user. It returns a HTTP 
response to the client. 

20 B. Processing of the HTTP request to the content server 

The user now sends a request towards a Back-end Service in 
the content server. From the invoked URL, the Proxy reroutes 
this request to the SSO server, augmented by the user 
credentials (such as the HTTP Authorization Header) 

25 collected in step A. The SSO server will then play the role 
of the user regarding to the content server. 

C. Content server authentication procedure 

The SSO server invokes the Login Form configured for the 
content server. This one responds with the Login Form. The 
30 SSO server "fill the form", and Post the user credentials to 
the content server. Since these credentials are valid, the 
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content server sends back an HTTP response to the SSO 
server, potentially augmented by a session Cookie, specific 
to the content server. The content of this cookie is opaque 
to the SSO server and to the Proxy, and will allow the 
5 content server to verify, on subsequent requests, that this 
user has been properly identified. Cookies are important in 
a form-based login environment because they are often used 
by the server to identify the users session. Obviously, 
precautions have to be taken around the Internet domain and 

10 the cookies, because a cookie will be replayed by a Web 
browser if it matches the Internet domain of the HTTP 
requests submitted. Optionally this response can be combined 
with a redirection towards the content server, which will 
allow subsequent requests to flow directly either from the 

15 Proxy to the content server, bypassing the SSO Server, or 
from the user directly to the content server. The SSO server 
forwards this response back to the Proxy, and then to the 
user . 

D. Subsequent requests 
20 The Proxy forwards subsequent requests directly to the 
content server, without going through the SSO server. In 
each request the user repeats the content server Session 
Cookie (if any), which is used by the content server to 
retrieve the user context . 

25 
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CLAIMS 

1. Method for accessing from an Internet user (10) to Internet 
resources provided by at least a content server (14) in a 
data transmission system including a proxy (16) connected 
to the Internet network (12), said proxy being adapted to 
perform the form-based authentication of the user when 
receiving a user request for Internet resources therefrom, 
and wherein said proxy transmits the user request to said 
content server which sends back a response to the proxy; 

said method being characterized in that it comprises the 
following steps : 

- the transmission from said proxy (16) to a Single Sign On 
(SSO) Server (18) of said user request together with the 
credentials associated with said user, 

- the filling by said SSO server of a login form obtained 
from said content server, said form being filled by using 
said credentials, 

- the transmission by said content server to said SSO 
server of a response to said user request after receiving 
the filled login form from said SSO server, said response 
being then sent back to said proxy and, 

- the transmission by said proxy of the requested 
information to said user, said information being 
contained in said response, 

2. Method according to claim 1, wherein said SSO server (18) 
has at its disposal a configuration file (20) for obtaining 
and filling said login form, said configuration file 
providing information about said content server such as the 
URL of the login page, the location of said login page, the 
name of the input field used for "username" and the name of 
the input field used f or"password" . 
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3. Method according to claim 2, wherein said response from 
said content server (14) sent back to said proxy (16) 
includes at least one cookie specific to said content 
server . 

5 4. Method according to claim 1, 2 or 3, further comprising an 
initial step of transmitting by said user (10) a first 
request to said proxy (16) invoking the external URL 
configured in said proxy, said proxy sending back an 
authentication challenge to said user in order to verify 
10 the user credentials and checking whether they correspond 

to a valid user. 

5. Method according to claim 4, wherein the subsequent 
requests after said user request transmitted by said user 
(10) are forwarded directly from said proxy (16) to said 
15 content server (14), the responses containing the requested 

information being transmitted directly to said proxy by 
said content server. 



6. Data transmission system including a proxy (16) connected 
to the Internet network (12) and at least a content server 

20 (14) to which a user (10) can gain access by the 

intermediary of said proxy, said proxy being associated 
with authentication means (18) adapted to perform the 
form-based authentication of the user when receiving a user 
request for Internet resources therefrom and wherein said 

25 proxy transmits the user request to said content server 

which sends back a response to said proxy; 

said system being characterized in that said 
authentication means comprise a Single Sign-On (SSO) server 
adapted to obtain a login form from said content server 

30 when receiving said user request from said proxy, to fill 

said login form by using the credentials associated with 
said user and to send back the filled login form thereby 
playing the role of said user regarding said content 
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server, so that said content server can provide the 
requested information after authentication of said user. 

7. Data transmission system according to claim 6, wherein said 
SSO server (18) has at its disposal a configuration file 

5 (20) for obtaining and filling said login form, said 

configuration file providing information about said content 
server such as the URL of the login page, the location of 
said login page, the name of the input field used for 
"username" and the name of the input field used 
10 for "password" „ 

8. Data transmission system according to claim 6 or 7 , wherein 
said SSO server (18) is external to said proxy (16) . 

9. Data transmission system according to claim 6 or 7, wherein 
said SSO server (18) is integrated within said proxy 
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METHOD AND SYSTEM FOR ACCESSING INTERNET RESOURCES THROUGH A 
PROXY USING THE FORM-BASED AUTHENTICATION 



Abstract 



Data transmission system including a proxy (16) connected to 
the Internet network (12) and at least a content server (14) to 
which a user (10) can gain access by the intermediary of the 
proxy, the proxy being associated with authentication means 
(18) adapted to perform the form-based authentication of the 
user when receiving a user request for Internet resources 
therefrom and wherein the proxy transmits the user request to 
the content server which sends back a response to the proxy. 
The authentication means comprise a Single Sign-On (SSO) server 
adapted to obtain a login form from the content server when 
receiving the user request from the proxy, to fill the login 
form by using the credentials associated with the user and to 
send back the filled login form thereby playing the role of the 
user regarding the content server, so that the content server 
can provide the requested information after authentication of 
the user. 
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